Nice try, Mr. Grande, the plaintiff's lawyer, but I don't suspect there will be any cigars. Many articles on the issue have expressed the same opinion. This post is a minor amplification of why.

First, data breaches, as unfortunate as they are, are not unique to any one institution or industry. Rather, they are the product of technology getting ahead of the law and social norms and appropriate business practices to cabin information properly. Criminals, being of a mind to take any advantage that comes their way, have seized on opportunities that identity theft in the digital domain affords them, and stories to that effect now pervade the popular media. Everyone is scrambling to catch up: technical security experts, business process mavens, law enforcement, businesses that truck in personally identifiable information and, not least, consumers.

Why wouldn't plaintiff lawyers want to get into the game? Because I tend to tip slightly in favor of the public policy reasons for tort law, I cannot condemn plaintiff lawyers for wanting to test the waters of new areas of law. Personally, if I were a young buck(ess?) attorney in this area, I would open a practice specializing in plaintiff privacy torts in the electronic realm. Those torts would be along the lines of "invasion of privacy" or "misappropriation of likeness," not, however, class action suits for breaches of personally identifiable information. The former is the real cutting edge; the latter is too sweeping, too anonymous, and already is addressed by state data breach notification laws, soon to be federalized.

In situations where institutions can be shown to have exercised true negligence, for example they have no security program, perhaps there might be a scintilla of a claim. If the information is intentionally stolen by an employee for sale to identity thieves, one might even ask questions about human resources practices and non-disclosure policies and training. But the run-of-the-mill causes of so many of these breaches are to date far too ubiquitous a problem for colleges and universities -- the spreadsheet that accidentally gets put up by a department or the unfortunate stolen computer -- to be fodder for a successful tort claim, at least for some time. There will come a day when technical security, the law, and business practice will be in greater harmony to create an industry and legal standard for negligence. Until that day we must deal with some degree of uncertainty and play a "keep up with the Joneses" game to maintain relative parity not only among and between colleges and universities but between our not-for-profit sector and the for-profit corporate community.

Continuing together to work toward that harmony is currently the best approach for IT departments nationwide. And here the shout-out is to EDUCAUSE and the work that it does currently and has done historically, especially under Mark Luker, to have the information technology community learn from each other the best practices for technical security and institutional policy. For more information, see: http://www.educause.edu/security